wpad on pfSense with lighttpd

Setting up proxy auto-configuration on pfSense has a handy documentation page, but sadly the first thing they say is that you have to run the webConfigurator GUI in HTTP mode, which is kind of annoying.

Given the auto-config of nginx (which runs the pfSense GUI) will likely blat any changes I make, I decided to use lighttpd instead.

In short, we’re going to:

  1. install a web server
  2. make a pac file
  3. make it available at a couple of different URLs via that web server
  4. have cake

Here’s how I did it…

Install lighttpd by running the following: sudo pkg install lighttpd

Enable lighttpd by editing rc.conf and adding lighttpd_enable=YES to make sure it starts: sudo vi /etc/rc.conf

To find the lighttpd document root (the directory it serves files from), in case it has changed in a later version:

sudo grep server.document-root /usr/local/etc/lighttpd/lighttpd.conf | egrep -v "^#"

On my 2.4.1 pfSense box it was server.document-root = "/usr/local/www/data/".

If you want to change the web server location, edit /usr/local/etc/lighttpd/lighttpd.conf and look for server.document-root.

Create the data directory, to keep it separate from the GUI. Also create a default index.html because we like avoiding directory listings…

sudo mkdir -p /usr/local/www/data/
sudo touch /usr/local/www/data/index.html

Create the PAC file (sudo vi /usr/local/www/data/proxy.pac) and put the following in - make sure to change the IP to match your squid box:

function FindProxyForURL(url,host) {
	// the squid box's address goes after PROXY, as host:port
	return "PROXY";
}

Create the wpad.dat file as a link because some clients need it. This means you only have to edit one file:

sudo ln -s /usr/local/www/data/proxy.pac /usr/local/www/data/wpad.dat

Update the MIME type for wpad.dat to send the right type to the browser, by editing mime.conf. Add this line near the others:

"wpad.dat" => "application/x-ns-proxy-autoconfig",

Restart lighttpd to apply the changes:

sudo service lighttpd restart

To make sure lighttpd will start on boot, install the Shellcmd package in the UI, and add the following command (type: shellcmd):

/usr/sbin/service lighttpd start

Check your work

$ curl -vvv
*   Trying
* Connected to ( port 80 (#0)
> GET /proxy.pac HTTP/1.1
> Host:
> User-Agent: curl/7.55.1
> Accept: */*
< HTTP/1.1 200 OK
< Content-Type: application/x-ns-proxy-autoconfig
< Accept-Ranges: bytes
< ETag: "3644651125"
< Last-Modified: Wed, 07 Mar 2018 00:14:40 GMT
< Content-Length: 74
< Date: Wed, 07 Mar 2018 05:11:27 GMT
< Server: lighttpd/1.4.47
 function FindProxyForURL(url,host)
 return "PROXY"; 
* Connection #0 to host left intact

The key things you’re looking for are the Content-Type header and making sure your file comes back. :)
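The same checks as a script, added here as an example (it is not from the original post): it reads a raw response as printed by `curl -si` and reports which check failed, including a PROXY directive with no host:port. The function names `check_pac_response` and `sample_response` are made up for this example, and the response and the address 192.0.2.10:3128 are constructed sample data.

```shell
# Added example: validate a raw HTTP response (as printed by `curl -si`) on stdin.
# Returns 0 = ok, 1 = not HTTP 200, 2 = wrong Content-Type,
#         3 = body has no FindProxyForURL, 4 = a PROXY directive lacks host:port.
check_pac_response() {
    resp=$(tr -d '\r')                               # HTTP lines end in CRLF
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')   # up to the first blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')    # everything after it

    printf '%s\n' "$headers" | head -n 1 |
        grep -Eq '^HTTP/[0-9.]+ 200( |$)' || return 1

    # Header names are case-insensitive; drop parameters such as "; charset=...".
    ctype=$(printf '%s\n' "$headers" | grep -i '^content-type:' | head -n 1 |
            cut -d: -f2- | cut -d';' -f1 | tr -d ' \t' | tr 'A-Z' 'a-z')
    [ "$ctype" = "application/x-ns-proxy-autoconfig" ] || return 2

    printf '%s\n' "$body" |
        grep -q 'function[[:space:]]\{1,\}FindProxyForURL' || return 3

    # Each PROXY directive needs host:port (hostname or IPv4 only in this check).
    if printf '%s\n' "$body" | grep -Eo 'PROXY[^";]*' |
        grep -Evq '^PROXY +[A-Za-z0-9.-]+:[0-9]+ *$'; then
        return 4
    fi
    return 0
}

# Constructed sample response. $1 = Content-Type, $2 = the PAC return string.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: %s\r\n' "$1"
    printf 'Server: lighttpd\r\n\r\n'
    printf 'function FindProxyForURL(url,host) {\n  return "%s";\n}\n' "$2"
}

# 192.0.2.10:3128 is a constructed documentation address, not from the post.
sample_response application/x-ns-proxy-autoconfig 'PROXY 192.0.2.10:3128' |
    check_pac_response && echo "PAC response looks right"
```

Against a live box, pipe the output of `curl -si` for both the proxy.pac and wpad.dat URLs into `check_pac_response`, since some clients only ask for wpad.dat.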

Update (2018-04-03) - added shellcmd note for on-boot lighttpd.

Update (2018-06-02) - Just a note - if you’re using the letsencrypt package, use /usr/local/www/data/.well-known/acme-challenge/ as the location for letsencrypt’s webroot, and allow the traffic through on the firewall. :)

#pfsense #wpad #proxies